NIXPKGS-2026-0972

GitHub issue published on

Permalink CVE-2026-35471

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 6 days ago
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8 x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.3

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 1.1.4
- nixpkgs-unstable 1.1.4
- nixos-unstable-small 1.1.4
nixos-25.11 1.1.2
- nixos-25.11-small 1.1.2
- nixpkgs-25.11-darwin 1.1.2

Package maintainers

@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0972

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers